Facilities, such as buildings, may have complex lighting systems that are used both to provide light and to monitor and manage nearby devices. These lighting systems can comprise an array of lighting fixtures, each lighting fixture including sensors and wireless communications technology to relay information, such as sensor information. Additionally, the lighting system may include components such as a mobile device, for example, a mobile phone, that includes a mobile application to control various features of the lighting system.
Lack of cloud connectivity in a network imposes multiple constraints on the handling of features such as device authentication. Device authentication involves identifying a remote device, such as a lighting fixture, and verifying that remote device's credentials. Normally, if cloud connectivity is available, these constraints are overcome easily because all the remote devices have a common server to synchronize with. However, when there is no network connectivity, it is difficult, if not impossible, to authenticate the remote devices.
One method used to authenticate remote devices is public-key cryptography. This method is based on a key pair that includes a public key and a private key. Data that has been encrypted with a public key can be decrypted only with the corresponding private key. Conversely, data that has been encrypted with a private key can be decrypted only with the corresponding public key. A certificate verifies that an entity is the owner of a particular public key.
There is a need to provide a safe method to identify whether or not a remote device is valid. If the needed decryption keys for authentication are stored on the mobile device, there is a possibility that the sensitive key information may be vulnerable to unauthorized users. Otherwise, if the decryption key information is maintained in the cloud, there is a dependency on the network connectivity. Thus, in areas where there is no network connectivity and hence no access to the cloud, it is desired to have an authentication device and corresponding method that can verify the remote device and safely maintain the decryption keys.
An authentication device/method that works in conjunction with a mobile device and can verify the validity of a remote device located in an area where there is no network connectivity is provided. Advantageously, the authenticator device can provide the needed certificates to the remote device so that the remote device knows it is communicating with a valid mobile application on a mobile device.
An authenticator device is a portable device that includes memory, a communications interface, and a controller. The controller receives authentication information from a cloud network via a communications interface, stores the authentication information in the memory, and authenticates a device utilizing the authentication information when the authenticator device and the device are not connected to the cloud network.
A method to authenticate a wireless device in an offline environment includes connecting an authenticator device to a cloud network, receiving an authentication key and a certificate by the authenticator device from the cloud network, storing the authentication key and the certificate in internal memory of the authenticator device, establishing a connection by the authenticator device to a mobile device when the authenticator device is not connected to the cloud network, the mobile device including a mobile application that communicates with a remote device, and authenticating the remote device by the authenticator device via the mobile application utilizing the authentication key.
An authentication system includes an authenticator device including memory and a controller wherein the controller receives an authentication key and a certificate from a cloud network via a communications interface and stores the authentication key and certificate in the memory, a wireless remote device, and a mobile device including a mobile application that communicates with the authenticator device and the wireless remote device. The authenticator device authenticates the wireless remote device via the mobile device when the authenticator device and the wireless remote device are not connected to the cloud network.
This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
To easily identify the discussion of any particular element or act, the most significant digit or digits in a reference number refer to the figure number in which that element is first introduced.
The mobile application 110, running on the mobile device 112, configures the remote devices 102 (i.e., provisioning) into the mesh network 104 and controls features on the remote devices 102. In order to ensure that this provisioning operation is done securely, the mobile application 110 and the remote device 102 authenticate one another to make sure that the remote device 102 is a valid device and that the mobile application 110 is valid to communicate with the mesh network 104. When there is cloud connectivity, the mobile application 110 communicates directly with a cloud network in order to conduct this validation via a cryptographic application in the cloud network. However, many times the remote devices 102 are located in areas without cloud connectivity.
Thus, in order to solve this issue, the inventors present an authenticator device that can authenticate both the mobile application 110 and remote device 102 and/or remote devices 102 configured in a wireless mesh network 104 when the mobile application 110 cannot connect to the cloud network.
A controller 202 on the authenticator device 200 communicates with the cloud network when there is cloud connectivity to receive the authentication keys and the certificate and stores the authentication keys and certificate in the memory 208. Then, when there is no cloud connectivity, the controller 202 can securely identify a valid device (i.e., a remote device 102 or the mobile application 110) in the wireless environment. The authenticator device 200 also includes a real time clock 206 that is synchronized with the current time when the authenticator device 200 is connected to the cloud network.
The authenticator device 200 communicates with the cloud network 306 when there is cloud connectivity (i.e., an online mode) via a communications interface 302 that may be Ethernet, Wi-Fi, BLE, or any other wired or wireless network protocol that can be used to communicate remotely, i.e., with the cloud network or a remote server, in order to share the needed certificate and authentication keys. In the online mode, the authenticator device 200 will download a set of encrypted authentication keys, for example a public key/private key pair as described above, and the certificate used to validate the mobile application 110 installed on the mobile device 112. Alternately, instead of connecting to the cloud network 306, the authenticator device 200 can connect to an on-premise server holding the stored authentication keys and certificate in order to receive them. The authenticator device 200 will then store these authentication keys and the certificate in its memory 208. In addition, the authenticator device 200 can synchronize its real time clock 206 with the current local time during its communications with the cloud network 306 in the online mode.
When there is no cloud connectivity, for example, when the user is at a remote site, the authenticator device 200 may be used in conjunction with the mobile device 112 running the mobile application 110 to authenticate a remote device 102 or remote devices 102 configured in a mesh network 104 in an offline mode. The authenticator device 200 connects to the mobile application 110 using a Wi-Fi connection 304. The mobile application 110 can connect to the mesh network 104 via the BLE 5.0 protocol or other protocol supported by both the mobile application 110 and the remote device 102.
Once the authentication keys and certificate are received by the authenticator device 200, it is ready to authenticate a remote device 102 in an offline environment without cloud connectivity. The certificate will be used by the remote device 102 to verify that the mobile application 110 on the mobile device 112 is valid. The authentication keys are used by the mobile application 110 to verify that the remote device 102 or mesh network 104 of remote devices is valid.
In the offline mode 404, the authenticator device 200 establishes a Wi-Fi connection 304 with the mobile application 110. The mobile application 110 on the mobile device 112 is then ready to communicate with the authenticator device 200. Once the connection to the authenticator device 200 is established, the mobile application 110 will request the certificate, which is in an encrypted format that cannot be read or decoded by the mobile application 110. In this way, the certificate cannot be accessed by an adversary or corrupted by a virus that may exist on the mobile application 110. The mobile application 110 merely passes the certificate to the remote device 102, which is capable of decoding the certificate. The certificate is not stored in the mobile application. In addition, in the offline mode 404, the local time from the real time clock 206 may be shared with the remote device 102 to synchronize the remote device 102 to the local time and/or to the remote server.
In order to authenticate the remote device 102, the mobile application 110 scans the remote device 102 for an encrypted string. The encrypted string is sent to the mobile application 110 in a response. The mobile application 110 passes the encrypted string to the authenticator device 200 where it is decrypted using the authentication key. From the decryption, the authenticator device 200 can determine whether or not the remote device 102 is a valid remote device. If it is a valid device, the remote device 102 is authenticated and the remote device 102 is displayed in a list of valid remote devices on the mobile application 110. In a configuration of the mesh network 104 by the mobile application 110, the remote device 102 can be added to the mesh network 104. If the authenticator device 200 determines the remote device 102 is not a valid device, a negative acknowledgement will be sent back to the mobile application 110 and the remote device 102 will not be displayed in the list on the mobile application.
The certificate is used to authenticate the mobile application 110. Firmware of the remote device 102 includes a decryption algorithm that it applies to the certificate to determine if the mobile device 112 is a valid mobile device. The remote device 102 does not communicate with the mobile application 110 until the certificate is validated.
Once both the mobile application 110 and the remote device 102 are validated, the list of authenticated remote devices 102 will be transmitted to the authenticator device 200 where it will be stored in the internal memory 208 until cloud connectivity is restored. At this time, the cloud network 306 will be synchronized with the authenticator device 200 and receive the list of authenticated and configured remote devices 102.
If communication between the mobile application 110 and the remote device 102 is terminated, then when communication is reestablished the remote device 102 will again request the certificate from the mobile application 110 in order to reverify that the mobile application 110 is valid.
In an embodiment, another layer of encryption may be utilized to prevent a malicious device from obtaining the encrypted string from the mobile application 110 by imitating a valid remote device. After receiving the encrypted string from the mobile application 110, the authenticator device 200 may then send a random encrypted equation back to the remote device 102 via the mobile application 110. The random encrypted equation may be received from the cloud network 306 when the authenticator device 200 is in the online mode 402. The remote device 102 decodes the encrypted equation, solves the equation, encrypts the answer to the equation, and sends the encrypted answer back to the authenticator device 200 via the mobile application 110. The equation may change randomly. The random equation may be deleted from the authenticator device's internal memory 208 after a fixed time period. Similarly to the certificate and the encrypted string, the fixed time period may be seventy-two hours; however, other time periods may also be used.
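The offline exchange described above (a certificate checked against the synchronized clock, a random challenge relayed through the mobile application, and the remote device's answer), as an added Go example that is not part of the patent: Ed25519 signatures stand in for the page's "encryption with a private key", a random nonce stands in for the random equation, and the Cert layout, the subject name and the seventy-two hour validity are constructed assumptions. The mobile application holds no key material; it only carries the bytes between the authenticator and the remote device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Cert is a constructed minimal certificate: the cloud root key signs "subject | public key | expiry".
type Cert struct {
	Subject  string
	PubKey   ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte
}
// certTBS is the byte string the cloud root key signs.
func certTBS(subject string, pub ed25519.PublicKey, notAfter time.Time) []byte {
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(notAfter.Unix()))
	return append(append(append([]byte(subject), 0), pub...), exp[:]...)
}
// Issue runs in the cloud (online mode): it binds a public key to a subject until notAfter.
func Issue(root ed25519.PrivateKey, subject string, pub ed25519.PublicKey, notAfter time.Time) Cert {
	return Cert{subject, pub, notAfter, ed25519.Sign(root, certTBS(subject, pub, notAfter))}
}
// VerifyCert runs wherever the root public key is held (authenticator device or fixture firmware);
// now comes from the synchronized real-time clock, so an expired certificate is refused offline too.
func VerifyCert(rootPub ed25519.PublicKey, c Cert, now time.Time) bool {
	return now.Before(c.NotAfter) && ed25519.Verify(rootPub, certTBS(c.Subject, c.PubKey, c.NotAfter), c.Sig)
}
// Challenge is a fresh random value relayed through the mobile app (crypto/rand.Read never fails);
// Respond is the prover's signature over it, standing in for the page's encrypted answer to a random equation.
func Challenge() []byte { n := make([]byte, 32); rand.Read(n); return n }
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }
// Authenticate accepts a peer only if its certificate is valid now and the response proves
// possession of the certified key for this challenge; a captured response replayed later fails.
func Authenticate(rootPub ed25519.PublicKey, c Cert, challenge, response []byte, now time.Time) bool {
	return VerifyCert(rootPub, c, now) && ed25519.Verify(c.PubKey, challenge, response)
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // cloud root key pair (constructed)
	devPub, devPriv, _ := ed25519.GenerateKey(nil)   // remote device key pair (constructed)
	cert := Issue(rootPriv, "lighting-fixture-01", devPub, time.Now().Add(72*time.Hour))
	ch := Challenge()
	fmt.Println("valid device:", Authenticate(rootPub, cert, ch, Respond(devPriv, ch), time.Now()))
}
```

The same Issue/VerifyCert pair covers the other direction, where the remote device's firmware checks the mobile application's certificate before talking to it.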
Although the subject matter has been described in language specific to structural features and/or acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as examples of implementing the claims and other equivalent features and acts are intended to be within the scope of the claims.
Number | Date | Country | Kind |
---|---|---|---|
202311001945 | Jan 2023 | IN | national |